Date:      Sat, 17 Apr 2004 13:26:10 +0300
From:      Dancho Penev <dpenev@mnet.bg>
To:        Ben Beuchler <insyte@emt-p.org>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Identifying traffic logged by ipfw
Message-ID:  <20040417102610.GA1040@earth.dpsca.bg>
In-Reply-To: <20040416175131.GA31191@emt-p.org>
References:  <20040416175131.GA31191@emt-p.org>


On Fri, Apr 16, 2004 at 12:51:31PM -0500, Ben Beuchler wrote:
>Date: Fri, 16 Apr 2004 12:51:31 -0500
>From: Ben Beuchler <insyte@emt-p.org>
>To: freebsd-questions@freebsd.org
>Subject: Identifying traffic logged by ipfw
>
>I'm working on a new bridging firewall using ipfw on FBSD 5.1.  The goal
>is to default to closed with a few exceptions.  To test my ruleset, I end
>with this rule:
>
>add 420 allow log ip from any to any
>
>The idea is that by watching the logs I could see what protocols I forgot
>to create rules for.  This is what I'm getting in the logs:
>
>Apr 16 16:43:40 bfw kernel: ipfw: 420 Accept MAC in via em2
>
>I'm guessing this means it's matching non-ip traffic, but I couldn't find
>any info to confirm this.  Is there any sort of trick I could use to log
>the entire packet?  Since nothing about the source or destination was
>logged, I don't have enough info to create a tcpdump filter.  Perhaps some
>sort of divert rule?

I don't know about FreeBSD 5.1, but on -CURRENT I use the following patch
for /sys/netinet/ip_fw2.c:

--- ip_fw2.c.orig	Fri Dec 26 15:21:46 2003
+++ ip_fw2.c	Sun Jan 25 22:45:45 2004
@@ -577,6 +577,16 @@
=20
 	if (hlen =3D=3D 0) {	/* non-ip */
 		snprintf(SNPARGS(proto, 0), "MAC");
+		if (eh !=3D NULL)
+			snprintf(SNPARGS(proto, 3),
+				" %02x:%02x:%02x:%02x:%02x:%02x %02x:%02x:%02x:%02x:%02x:%02x 0x%04x",
+				eh->ether_dhost[0], eh->ether_dhost[1],
+				eh->ether_dhost[2], eh->ether_dhost[3],
+				eh->ether_dhost[4], eh->ether_dhost[5],
+				eh->ether_shost[0], eh->ether_shost[1],
+				eh->ether_shost[2], eh->ether_shost[3],
+				eh->ether_shost[4], eh->ether_shost[5],
+				ntohs(eh->ether_type));
 	} else {
 		struct ip *ip =3D mtod(m, struct ip *);
 		/* these three are all aliases to the same thing */
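Review bot: the string appended at offset 3 of proto is 43 characters long (two 17-character MAC addresses, three separating spaces and the 6-character "0x%04x" EtherType), so proto[] in ipfw_log() must hold at least 47 bytes including the terminator; SNPARGS makes the snprintf truncate rather than overflow, but with a smaller buffer the EtherType would silently vanish from the log line, so check the array's declared size before applying this. A smaller style point: the kernel printf supports the %D conversion for hex byte strings, so `"%6D %6D 0x%04x", eh->ether_dhost, ":", eh->ether_shost, ":", ntohs(eh->ether_type)` would replace the twelve %02x arguments.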

>
>Thanks!
>
>-Ben
>
>-- 
>Ben Beuchler                                           There is no spoon.
>insyte@emt-p.org                                            -- The Matrix
>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

-- 
Dancho Penev

GnuPG public key: http://www.mnet.bg/~dpenev/gnupg.key
Key fingerprint: E88D 8B7B 3EF6 E9C8 C5D2  7554 2AA8 C347 71A1 4277
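The question's goal was to read the catch-all rule's log to see which protocols still lack explicit rules. As an added example (not code from either poster), a small Python parser for ipfw syslog lines, assuming the patched proto string lands between "MAC" and "in/out via" exactly as the snprintf format above lays it out; the sample log lines are constructed, the first one being the unpatched form quoted in the question.

```python
import re
from collections import Counter
# Constructed sample syslog lines (not from the thread) in the layout the patched ip_fw2.c
# emits: "ipfw: <rule> <action> MAC <dst-mac> <src-mac> 0x<type> <in|out> via <ifname>".
# The first line is the unpatched form quoted in the question, which logs no header.
SAMPLE_LOG = """\
Apr 16 16:43:40 bfw kernel: ipfw: 420 Accept MAC in via em2
Apr 17 10:01:02 bfw kernel: ipfw: 420 Accept MAC ff:ff:ff:ff:ff:ff 00:0c:29:3a:1b:2c 0x0806 in via em2
Apr 17 10:01:03 bfw kernel: ipfw: 420 Accept MAC 33:33:00:00:00:01 00:0c:29:3a:1b:2c 0x86dd in via em2
Apr 17 10:01:04 bfw kernel: ipfw: 420 Accept MAC 01:80:c2:00:00:00 00:1b:21:aa:bb:cc 0x0026 in via em1
Apr 17 10:01:05 bfw kernel: ipfw: 420 Accept MAC 00:0c:29:3a:1b:2c 00:1b:21:aa:bb:cc 0x8100 out via em1
Apr 17 10:01:06 bfw kernel: ipfw: 100 Accept TCP 10.0.0.5:1234 10.0.0.9:22 in via em2
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) MAC"
    r"(?: (?P<dst>" + MAC + r") (?P<src>" + MAC + r") 0x(?P<etype>[0-9a-f]{4}))?"
    r" (?P<dir>in|out) via (?P<ifname>\S+)")
# A few well-known EtherTypes; anything else is reported by its number.
ETHERTYPES = {0x0806: "ARP", 0x86dd: "IPv6", 0x8100: "802.1Q VLAN tag",
              0x8863: "PPPoE-Discovery", 0x8864: "PPPoE-Session", 0x88cc: "LLDP"}

def parse_mac_log_line(line):
    """Parse one ipfw 'MAC' log line; return None for IP lines and non-matches."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    if rec["etype"] is None:
        rec["proto"] = "unknown (unpatched kernel, no Ethernet header logged)"
    else:
        rec["etype"] = int(rec["etype"], 16)
        if rec["etype"] < 0x0600:  # IEEE 802.3 length field (LLC/STP frames), not a type
            rec["proto"] = "802.3/LLC (length field)"
        else:
            rec["proto"] = ETHERTYPES.get(rec["etype"], "EtherType 0x%04x" % rec["etype"])
    return rec

def summarize(log_text):
    """Count non-IP frames per (rule, protocol, direction, interface) admitted by the catch-all."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_mac_log_line(line)
        if rec is not None:
            counts[(rec["rule"], rec["proto"], rec["dir"], rec["ifname"])] += 1
    return counts
```

Feed `summarize()` the output of `grep 'ipfw:' /var/log/security` and each key that appears is a protocol the ruleset still only admits through the catch-all rule.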
